Project

General

Profile

Bug #1293

error when trying to view puppet certificates

Added by Joshua Hoblitt over 7 years ago. Updated over 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
PuppetCA
Target version:
Difficulty:
Triaged:
No
Bugzilla link:
Pull request:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

I'm getting this error when clicking on Settings -> Smart Proxies -> Certificates . It appears that the proxy is correctly invoking puppetca via sudo.

# rpm -qa | grep foreman
foreman-0.4-0.1rc4.noarch
foreman-proxy-0.3-0.1rc2.noarch
foreman-release-1-1.noarch

The HTTP 500 error message that's returned:

The following error message was observed:
smart_proxy_puppetca_url failed to generate from {:action=>"update", :id=>#, :smart_proxy_id=>"1-ctrl", :controller=>"SmartProxies::Puppetca"}, expected: {:action=>"update", :controller=>"SmartProxies::Puppetca"}, diff: {:id=>#, :smart_proxy_id=>"1-ctrl"}

foreman production.log (IP/hostname's changed)

Processing SmartProxies::PuppetcaController#index (for 1.1.1.1 at 2011-11-02 12:01:29) [GET]
  Parameters: {"smart_proxy_id"=>"1-ctrl"}
Rendering template within layouts/application
Rendering smart_proxies/puppetca/index

ActionView::TemplateError (smart_proxy_puppetca_url failed to generate from {:action=>"update", :id=>#<SmartProxies::PuppetCA:0x7f89d93198a8 @fingerprint="E9:27:4C:B1:96:7B:5F:B2:78:76:CC:81:7B:17:A1:1E", @smart_proxy_id=1, @name="ctrl.example.com   ", @expires_at=nil, @valid_from=nil, @state="valid">, :smart_proxy_id=>"1-ctrl", :controller=>"SmartProxies::Puppetca"}, expected: {:action=>"update", :controller=>"SmartProxies::Puppetca"}, diff: {:id=>#<SmartProxies::PuppetCA:0x7f89d93198a8 @fingerprint="E9:27:4C:B1:96:7B:5F:B2:78:76:CC:81:7B:17:A1:1E", @smart_proxy_id=1, @name="ctrl.example.com   ", @expires_at=nil, @valid_from=nil, @state="valid">, :smart_proxy_id=>"1-ctrl"}) on line #23 of app/views/smart_proxies/puppetca/index.html.erb:
20:         <td><%= h cert.fingerprint %></td>
21:         <td>
22:           <%= display_link_if_authorized("Sign", hash_for_smart_proxy_puppetca_path(:smart_proxy_id => @proxy.to_param, :id => cert), :method => :put) if cert.state == "pending" %>
23:           <%= display_link_if_authorized("Destroy", hash_for_smart_proxy_puppetca_path(:smart_proxy_id => @proxy.to_param, :id => cert), :confirm => 'Are you sure?', :method => :delete) if cert.state != "revoked"  %>
24:         </td>
25:       </tr>
26:   <% end -%>

    app/helpers/application_helper.rb:105:in `display_link_if_authorized'
    app/views/smart_proxies/puppetca/index.html.erb:23
    app/views/smart_proxies/puppetca/index.html.erb:14:in `each'
    app/views/smart_proxies/puppetca/index.html.erb:14

app/helpers/application_helper.rb:105:in `display_link_if_authorized'
app/views/smart_proxies/puppetca/index.html.erb:23
app/views/smart_proxies/puppetca/index.html.erb:14:in `each'
app/views/smart_proxies/puppetca/index.html.erb:14
Rendering template within layouts/application
Rendering common/500 (500)
[root@ctrl foreman]#

foreman-proxy proxy.log

D, [2011-11-02T12:01:29.999297 #1732] DEBUG -- : Found puppetca at /usr/sbin/puppetca
D, [2011-11-02T12:01:29.999440 #1732] DEBUG -- : Found sudo at /usr/bin/sudo
D, [2011-11-02T12:01:29.999493 #1732] DEBUG -- : Executing /usr/bin/sudo -S /usr/sbin/puppetca --list --all

sudo invocation in /var/log/secure

Nov  2 12:01:30 ctrl-27 sudo: foreman-proxy : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/puppetca --list --all


Related issues

Related to Smart Proxy - Bug #1349: some certificates are shown twiceClosed2011-11-23
Has duplicate Foreman - Bug #1365: Template Error when browsing to Smart Proxy "puppetca"Duplicate2011-11-30

Associated revisions

Revision 23b12ba7 (diff)
Added by Ohad Levy over 7 years ago

fixes #1293 - error when trying to view puppet certificates

History

#1 Updated by Andreas Ntaflos over 7 years ago

Same problem here on Ubuntu 10.04, using Foreman 0.4-~nightlybuild1320199902 and Smart Proxy 0.3-~nightlybuild1320199883, along with Puppet 2.7.6.

Invoking puppetca --list --all as user foreman via sudo apparently works fine, listing all certificates correctly. Can we do anything to help debug this?

#2 Updated by Andreas Ntaflos over 7 years ago

I suppose the following error is related to the problems described above. I get this when trying to provision a new host (using Ubuntu, PXE and Preseed). Booting the installer works fine, the problem appears when the Debian installer tries to retrieve its specified preseed file (as in http://puppet.example.com/foreman/unattended/provision). This shows up as a 500 error to the client, while the Foreman production log shows this:

Processing UnattendedController#provision (for 10.59.1.133 at 2011-11-03 19:37:58) [GET]
Found RISELANCCR01.rise-s.com
**DEPRECATION WARNING*** Managing Puppet CA without a smart-proxy will not be supported in the next release

**DEPRECATION WARNING*** Managing Puppet CA without a smart-proxy will not be supported in the next release
Permission denied - /etc/puppet/autosign.conf
/usr/lib/ruby/1.8/fileutils.rb:1033:in `initialize'
/usr/lib/ruby/1.8/fileutils.rb:1033:in `open'
/usr/lib/ruby/1.8/fileutils.rb:1033:in `touch'
/usr/lib/ruby/1.8/fileutils.rb:1027:in `each'
/usr/lib/ruby/1.8/fileutils.rb:1027:in `touch'
/usr/share/foreman/vendor/plugins/proxy/lib/proxy.rb:131:in `sign'
/usr/share/foreman/app/models/host.rb:210:in `handle_ca'
/usr/share/foreman/app/controllers/unattended_controller.rb:141:in `handle_ca'
Rendering common/500 (500)

#3 Updated by Ohad Levy over 7 years ago

Does the following solves your issue?

diff --git a/app/views/smart_proxies/index.html.erb b/app/views/smart_proxies/index.html.erb
index 1c0d387..6a31a0e 100644
--- a/app/views/smart_proxies/index.html.erb
+++ b/app/views/smart_proxies/index.html.erb
@@ -17,7 +17,7 @@
       <td><%=h proxy.features.to_sentence %></td>
       <td class="ra">
         <% if proxy.features.include? Feature.find_by_name("Puppet CA") -%>
-          <%= display_link_if_authorized "Certificates | ", hash_for_smart_proxy_puppetca_index_path(:smart_proxy_id => proxy) %>
+          <%= display_link_if_authorized "Certificates | ", hash_for_smart_proxy_puppetca_index_path(:smart_proxy_id => proxy.to_param) %>
           <%= display_link_if_authorized "Autosign | ", hash_for_smart_proxy_autosign_index_path(:smart_proxy_id => proxy) %>
         <% end -%>
         <% if SETTINGS[:unattended] and proxy.features.include? Feature.find_by_name("DHCP") -%>

#4 Updated by Joshua Hoblitt over 7 years ago

The patch applied cleanly to 0.4-0.1rc4, restarted apache (running foreman under passenger), and it looks like we're still getting the same error:

The following error message was observed:
smart_proxy_puppetca_url failed to generate from {:action=>"update", :id=>#, :smart_proxy_id=>"1-ctrl", :controller=>"SmartProxies::Puppetca"}, expected: {:action=>"update", :controller=>"SmartProxies::Puppetca"}, diff: {:id=>#, :smart_proxy_id=>"1-ctrl"}

#5 Updated by Ohad Levy over 7 years ago

how about ?

diff --git a/app/views/smart_proxies/puppetca/index.html.erb b/app/views/smart_proxies/puppetca/index.html.erb
index 90d625d..21037bb 100644
--- a/app/views/smart_proxies/puppetca/index.html.erb
+++ b/app/views/smart_proxies/puppetca/index.html.erb
@@ -19,8 +19,8 @@
         <td><%= time_column cert.expires_at, :tense => :future %></td>
         <td><%= h cert.fingerprint %></td>
         <td>
-          <%= display_link_if_authorized("Sign", hash_for_smart_proxy_puppetca_path(:smart_proxy_id => @proxy.to_param, :id => cert), :me
-          <%= display_link_if_authorized("Destroy", hash_for_smart_proxy_puppetca_path(:smart_proxy_id => @proxy.to_param, :id => cert), 
+          <%= display_link_if_authorized("Sign", hash_for_smart_proxy_puppetca_path(:smart_proxy_id => @proxy.to_param, :id => cert.to_pa
+          <%= display_link_if_authorized("Destroy", hash_for_smart_proxy_puppetca_path(:smart_proxy_id => @proxy.to_param, :id => cert.to
         </td>
       </tr>
   <% end -%>

#6 Updated by Greg Sutcliffe over 7 years ago

I'm also hitting this. Ohad, your patch looks malformed - the lines are truncated, so I can't test it. I can confirm that simply removing the Destroy link makes the page function again, although of course you cannot revoke certificates :)

#7 Updated by Ohad Levy over 7 years ago

  • Target version set to 1.0

Ok, how about?

diff --git a/app/models/smart_proxies/puppet_ca.rb b/app/models/smart_proxies/puppet_ca.rb
index c951904..ac68970 100644
--- a/app/models/smart_proxies/puppet_ca.rb
+++ b/app/models/smart_proxies/puppet_ca.rb
@@ -7,6 +7,7 @@ class SmartProxies::PuppetCA

   def initialize opts
     @name, @state, @fingerprint, @valid_from, @expires_at, @smart_proxy_id = opts.flatten
+    @name.strip!
     @valid_from = Time.parse(@valid_from) unless @valid_from.blank?
     @expires_at = Time.parse(@expires_at) unless @expires_at.blank?
   end

#8 Updated by Paul Mooring over 7 years ago

That change didn't fix it, but I'm having the same problem on a version from the yum repository, rpm -q says:
foreman-0.4-0.2.noarch
foreman-proxy-0.3-0.2.noarch
are the versions I'm running.

#9 Updated by Ohad Levy over 7 years ago

  • Target version changed from 1.0 to 0.4.1

#10 Updated by Greg Sutcliffe over 7 years ago

That results in "Cannot modify frozen string". Avoid editing the name object directly seems to work - e.g:

--- a/app/models/smart_proxies/puppet_ca.rb
+++ b/app/models/smart_proxies/puppet_ca.rb
@@ -20,7 +20,7 @@ class SmartProxies::PuppetCA
           api = ProxyAPI::Puppetca.new({:url => proxy.url})

           certs = api.all.map do |name, properties|
-            new([name, properties['state'], properties['fingerprint'], properties["not_before"], properties["not_after"], proxy.id])
+            new([name.strip, properties['state'], properties['fingerprint'], properties["not_before"], properties["not_after"], proxy.id])
           end.compact

           # save our CA details for 5 seconds

#11 Updated by Yun Zheng Hu over 7 years ago

Greg Sutcliffe wrote:

That results in "Cannot modify frozen string". Avoid editing the name object directly seems to work - e.g:

[...]

I can confirm that this works

#12 Updated by Ohad Levy over 7 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

Also available in: Atom PDF